If you use OneDrive to upload files to ChatGPT or Zoom, don’t

OneDrive File Picker is a Microsoft-provided tool that lets websites and web apps integrate with a user’s OneDrive account to allow uploading, browsing, and selecting OneDrive files directly from the app.

An over-privileged OAuth trap

This broad access stems from a limitation in Microsoft’s OAuth implementation within File Picker that researchers described as “a lack of fine-grained permissions scopes.”

Jason Soroko, senior fellow at Sectigo, calls the oversight an over-privileged OAuth trap. “Microsoft’s OneDrive File Picker encourages third-party web apps to request broad files,” he said. “Once issued, those long-lived tokens are often cached in localStorage or back-end databases without any encryption, potentially allowing attackers to trawl an entire tenant’s data.”

OneDrive File Picker’s OAuth implementation requests broad scopes, instead of fine-grained, file-level scopes, allowing users and developers to restrict access to only the files explicitly selected.

What's Hot

Microsoft hires the team of Sequoia-backed AI collaboration platform, Cove

This startup wants to make enterprise software look more like a prompt

The leaderboard “you can’t game,” funded by the companies it ranks

Particle’s AI news app listens to podcasts for interesting clips so you you don’t have to

Why these startup CEOs don’t think AI will replace human roles

What the Epstein files reveal about EV startups and Silicon Valley

College social app Fizz expands into grocery delivery

A Former Apple Luminary Sets Out to Create the Ultimate GPU Software

The Reason Murderbot’s Tone Feels Off

Most Popular